Proposal 27: Continuous Security Audits


Security is crucial for any blockchain project. The bugs cost a lot. One of the obligatory security measures every team must consider is timely security reviews of the code by third-party specialists. The usual scheme is develop-audit-recheck-deploy. However, for Powerpool, the development speed is very high, and the traditional approach doesn’t work well.

Instead of making big isolated releases, the team moves at a high pace and delivers updates of the code every month. This makes it hard to plan the audits and demands some pre-booked time of the auditing team, so it can quickly react to the inputs from the development team.


We outline the following objectives of the continuous reviews:

  1. Increase the overall security of the final code.
  2. Increase the efficiency and decrease the cost of the development.
  3. Speed up the delivery of the security reports, allowing the team to deliver more code and product updates

We propose the following measures:

Dedicated time of the audit team. Each month we pre-book a fixed amount of time for the security reviews of the new code developed by PowerPool project. This allows us to have availability for security audits of PowerPool code when it is ready to be audited, and deliver the audit reports within a month.

  1. We book the timeslot at least one month in advance, so we can arrange our schedule accordingly. We advice PowerPool team to inform us about changes of the code delivery date as early as possible, so we have the possibility to adjust the timeslot.
  2. If the code is not ready for the audit by the beginning of the reserved timeslot, in most cases, we won’t be able to move the timeslot ad hoc.
  3. If the amount of time needed on the audit of the delivered code exceeds the booked time slot, the audit continues in the next month.

Of course, in any of “edge cases” we will actively cooperate with the PowerPool team to fulfill the needs of the project in the most timely manner.

Continuous project support. We make “global” recommendations on the system design, documentation, tools, and development practices as early as possible.

When the new code is delivered, we start to review all code changes and prepare the report with found vulnerabilities, bugs, bad practices, and inconsistencies with the planned functionality.


6600 USD / month

This includes 40 dedicated man-hours of the security team.

For reference, usually, we spend 40 man-hours on the audit of 1000 physical lines of unique code (sloc-p) written in Solidity, including preparation of the audit report, interaction with the development team, and one re-check of amendments made based on the result of the audit.

The payment procedure

The continuous security reviews service will be paid from the community funds. For this purpose, the team will send CVP from a multi-sig wallet at the end of every month based on the CVP/USDC exchange rate calculated at aggregator.

The address to be used for payments is:


The auditors team will provide detailed reports regarding their work with PowerPool code every month on the community forum, including security reports.

Approving this proposal, you vote FOR starting continuous security reviews by Pessimistic paid by the CVP community

Rejecting this proposal, you declining continuous security reviews for PowerPool code offered by Pessimistic

The proposal seems reasonable. Pricing seems fair too. I take it that you are a representative of Pessimistic, Alexander?

@powerpoolAdmin have we considered other auditors? How does this align with our desire to double audit all code? Do we need to commission another continual auditor?

Last, I suggest that any auditor should not be eligible for the bug bounty programme. I suppose that this was obvious, but it hasn’t been written down anywhere as far as I know. Can we add that to the proposal?

Is it only for audits or white hat programs fall under this as well? In general very supportive of this!

White hat would go under the bug bounty programme: Proposal 25: Bug bounty programme

1 Like

Very reasonable!
But I believe it should be combined with the Bug bounty proposal

Bug bounty proposal has passed. I think this proposal is different enough. I support it.

I absolutely support it as well